Managing the information technology function within a CPA firm often causes frustration within the owner group as they seldom understand the intricacies of IT and often view the function as an expense, rather than a strategic investment in their firm’s profitability.  These same owners are comfortable reviewing the firm’s financial information and are often presented with “Flash Reports” that give them a condensed view of operations, allowing them to quickly understand the firm’s status on key performance indicators; so why not apply this concept to IT?  Network integrators such as the Xcentric Group in Atlanta, have provided their clients with a proactive monthly IT summary that let’s them know the status of their IT infrastructure, as well as comments on existing and potential issues.  According to Trey James, President of Xcentric: “we encourage our customers to leverage automated system tools whenever possible to take the load off of IT staff and provide a summary of network operations.“ 

These reports can be developed by your in-house personnel or your outsourced IT department (if an external company is used).  It is recommended that they be provided to the internal IT champion at least monthly, who will verify that the network infrastructure is sound and report to the firm’s Executive Committee.  It is also recommended that the analysis be explained to the entire owner group at least once per year, so they can be assured that the IT function is being effectively managed.  Below, we summarize items which firms might consider for their IT flash report: 

• Server Hard Drive Capacity/Utilized: Today’s hard drives can hold astounding amounts of information, but can shut down a firm’s operations if they have inadequate space for processing current applications, particularly during busy season when the volume of new PDF files increases, as well as the amounts of entries in the time and billing system.  The flash report should list the capacity for each server, the amount of disk space utilized, and the amount of hard disk space remaining, which should never be below 20%.  Event logs should also be reviewed to identify any application or hardware component failures, as well as to view procedures to clean up or defragment drives.
• Data Backup: The most critical component of a firm’s disaster response is the verification that all data is backed up, verified, and stored securely offsite.  Firms should monitor that backups are completed at least daily, the amount of data backed up (compared to what is on the servers) and the remaining capacity on the tapes.  The report should also include the start and finish time for the backup process to make sure that it does not impede on the core workday hours, when it is most expensive to kick staff off the system to complete the backup.  Tape backup systems are extremely expensive and it is imperative that owners be aware of requirements for a new one at least a year in advance.
• Server Patch Management: Firms must monitor security and operating system patches to ensure that the firm is being adequately protected, while at the same time being aware of conflicts with existing accounting applications.  As network operating systems release new patches, the IT department should coordinate updates with their core application vendors (tax, practice, audit engagement and document management) to minimize conflicts, and determine the optimal schedule for implementation. 
• Firewall Testing: The firm’s firewall is the primary defense against hacking attempts from the Internet and the IT department must verify that no unauthorized ports are being utilized.  Port tests such as Shield’s Up from GRC.com, will validate which ports are accessible and should be tested at least monthly.  Outside resources that can test the firm’s systems against the top security threats from the CSI/FBI study can also be found at SANS.org and CISecurity.org.
• Internet Monitoring: Internet appliances can also monitor the websites visited listing the percentage and frequency of these visits to ensure that Internet access is focused on production websites.  Applications such as Websense and iPhantom can monitor activity and also make management aware of applications that consume bandwidth resources such as continuous audio or video feeds and the number of times that individuals attempt to violate firm filtering or access policies.
• Bandwidth Optimization: Firms rely on the Internet for communications, research and system upgrades and must monitor bandwidth resources.  The report should list the amount of bandwidth contracted for, as well as actual throughput for both upstream and downstream communications including statistics for a redundant Internet connection.
• Email Filtering: Anti-viruses, spam and other malware can have a severe impact on firms if not properly managed.  Virus footprints are often updated daily so even if the process is automatic, it must be verified and owners should be notified of the number of email viruses that were removed as well as viruses found on workstations.  Spam and spyware continue to be major time wasters; the report should list the volume of these items removed.
• UPS Systems: Uninterruptible power supplies are an important component of a firm’s disaster planning and automated tools should be set to verify that the batteries are still holding the anticipated charge and that they will send appropriate notification to the IT department in the event of an outage.
• Workstation Management: Owners should be aware of the versions of Windows and Microsoft Office loaded on computers to ensure they are in compliance with licensing and so they can plan for future upgrades.  The firm’s inventory should list all applications, licenses and the number of users to ensure that licensing policies are not breached.
• Password and Usage Policy: Most firms will change passwords at least twice per year and provide an update on computer usage policies for both internal and remote user policies.  These reminders should be scheduled in advance and the status presented in the report along with a validation that passwords have been changed appropriately and all terminated passwords are inaccessible
• IT Project Management: The report can also list the number of IT issues addressed as well as those items that are still outstanding. Timeframes, impacts and cost for any projected IT projects should be listed at least one year out so that management is not surprised by unplanned expenditures.  A comprehensive budget should be prepared listing the current expenditures as well as projections for the next two years.  While many IT personnel have a variety of applications available for IT management or utilize the Microsoft office in smaller firms, there are a number of IT help desk and network automation tools that can help with monitoring such as Numera, Track-It!, and i-Sight.

Providing firm management with a flash report that summarizes the health of the firm’s IT infrastructure can go a long way to providing owners comfort that mission critical IT processes are being effectively monitored.  Build your firm’s IT flash report and start educating your firm today.

This article is reprinted with permission from the CPA Technology Advisor and appeared in the April/May 2006 issue. Roman H. Kepczyk, CPA, CITP is president of InfoTech Partners North America, Inc. and works exclusively with CPA firms to implement today’s leading best practices and technologies